1. INTRODUCTION 

Security and privacy on smart mobile devices have become prime concerns because their growing popularity has 
made them a common means of accessing sensitive information and a critical platform for business transactions 
[1]-[5]. Over time, mobile devices have come to offer numerous novel, high-quality functions, which further 
increases consumer interest while also raising users' susceptibility to fraud [6]-[8]. Research has revealed that 
82% of people in the 25-35 age group, along with 70% of household users, use mobile phones to perform online 
banking [9]. Furthermore, it can be inferred from Figure 1 that millennials prefer to use a browser or app on a 
mobile device over other existing banking options [10]. Performing secure transactions and accessing such 
sensitive information demands security measures that deliver strong protection against impending threats while 
also offering better user adoptability [2]. 

Even in the current era of security modernisation, single-factor or password-based approaches remain in use 
for access management across digital channels, since they offer affordable deployment and easy revocation in 
the event of a compromise. Existing digital application services require individual users to remember a 
multitude of credentials in the form of PINs and passwords, which leads users to choose unsafe passwords for 
easy memorisation; this is one of the considerable concerns associated with the approach [11]. Moreover, with 
the rapid modernisation and development of computing technology, susceptibility to dictionary attacks [12], the 
abundance of key-loggers [13] and the availability of password hacking tools [14], [15] make password 
retrieval an easier task for intruders. Further, passwords can be shared, forgotten or observed, making them an 
impractical authentication solution. 
Figure 1. A preferred device for sensitive information access [adopted from [10]] 

Various schemes replacing complex passwords with hardware tokens, chip modules and smart cards have been 
introduced [16]-[18]. They provide a higher degree of security but lack user ergonomics, prove inconsistent, 
and can be lost, duplicated or stolen; they are also expensive and unmanageable, which hampers their 
adoptability [19], [20]. There also exist security schemes such as [21], [22] that fail to operate on 
resource-limited devices such as smart mobile phones, which are heavily used for sensitive information 
exchange and are thereby left extremely vulnerable [1], [23]. Furthermore, facilities such as cloud technology 
aim to offer many services to their customers, but the data sharing approach used by cloud technology exposes 
many flaws and hence leaves it susceptible to numerous attacks [24]-[27]. 

User adoptability is a prime concern for digital vendors. Currently, users desire convenient and simple 
experiences. The confluence of user adoptability and security challenges has driven a momentous rise in 
biometric security solutions. According to a report by the World Economic Forum (WEF) [28], biometrics can 
provide a potential solution offering security and user convenience, particularly in financial services. 
Nevertheless, there exist multiple points at which biometric systems can be breached [29]. Some threats have 
been addressed by researchers in [30], yet biometric systems remain susceptible to spoofing and smudge 
attacks. Even where systems exist that protect biometric templates by revoking biometric credentials, such 
solutions have limited availability, and the standards for evaluating them are underdeveloped. Unfortunately, 
biometric systems appear to be highly susceptible to replay attacks [19]. Hence, security solutions based on 
biometrics alone offer weaker security even though they provide high user adoptability. 

The ultimate goal of this paper is to review the numerous access management security solutions offered in the 
past. The remainder of the paper is organised as follows: Section 2 is devoted to a detailed survey of biometric 
and non-biometric authentication. Section 3 emphasises the potential challenges and open issues revealed by 
the research work reviewed. Finally, Section 4 concludes the paper with closing remarks. 


2. BACKGROUND WORK 

This section presents a detailed study of the numerous security solutions prevalent in the field of secure user 
authentication. The schemes are divided into two categories: biometric-based and non-biometric-based schemes. 


2.1. Biometric-based Systems 

A large number of security mechanisms are based on biometrics, which include both the behavioural and the 
physical/physiological characteristics of a person. Some biometric security solutions are reviewed below. 
2.1.1 Authentication based on Physiological Characteristics 

The physical features or characteristics of an individual form the basis for physiological biometric 
authentication schemes. Face, retina/iris, palm/hand geometry and fingerprint are physical features that remain 
relatively unchanged with the passage of time. 
a. Fingerprint recognition 

Fingerprint authentication is a hot research area for authentication on mobile phones. Authentication schemes 
based on fingerprints have already been implemented on mobile phones and can be seen as a user-adoptable 
solution for verifying an individual's identity. In [31], a fingerprint authentication scheme has been proposed, 
implemented as an Android application and run on actual mobile devices. Three authentication algorithms for 
fingerprint processing have been introduced, each evaluated according to its accuracy rate and speed. In [32], 
a secure, low-cost and robust fingerprint authentication scheme for mobile phone devices has been proposed. 
The system has been implemented using the OpenCV (Computer Vision) library and Android, and an RGB 
matching algorithm has been utilised. These fingerprint-based authentication schemes appear cheap and easy 
to use without consuming much battery power on resource-constrained mobile phone devices. Nevertheless, 
the lack of hardware on mobile devices capable of acquiring the entire fingerprint, along with the failure of 
fingerprint matching algorithms in the presence of dirt or cuts, makes fingerprint-based security solutions a 
weak contender for a secure and adoptable user solution. 
b. Face recognition 

Face recognition-based authentication schemes use facial features obtained from video frames or digital 
images for the verification or identification of an individual. Face recognition also forms a potential research 
area in the field of mobile authentication. The authors in [33] have introduced an efficient open face recognition 
system on the Android platform. The proposed system implements face and eye detection, LBP (Local Binary 
Pattern) for feature extraction, pre-processing of the Region of Interest (ROI), feature dimensionality reduction 
based on Linear Discriminant Analysis (LDA), referred to as Fisherface, and Principal Component Analysis 
(PCA), referred to as Eigenface, and Euclidean distance as a minimum-distance classifier. The experimental 
results attained 96.0% accuracy in face recognition with the Fisherface algorithm and 93.8% accuracy with the 
Eigenface algorithm. Face is the leading biometric trait considered on mobile phone devices [6], [34] in 
comparison to fingerprint and iris. Even though the scheme is largely acceptable to mobile phone users, issues 
remain regarding the performance of the solution under certain conditions such as face angles, poor lighting 
and diverse expressions. 
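To make the LBP feature extraction and minimum-distance classification pipeline described for [33] concrete, the following is an added example written for this review; it is not code from the paper or from the system in [33]. It implements the basic 8-neighbour LBP operator, builds a normalised 256-bin histogram as the feature vector, and classifies a probe image by Euclidean distance to enrolled templates. The two 8x8 "face" images (a diagonal gradient and a checkerboard) and the identity names are constructed for illustration only. The example also shows why LBP is attractive under varying illumination: a uniform brightness shift leaves every LBP code unchanged, so the probe matches its template at distance zero.

```python
import math

def lbp_code(img, r, c):
    """8-neighbour LBP code of pixel (r, c): bit i is set when neighbour i >= centre.
    Neighbours are taken clockwise starting from the top-left pixel."""
    centre = img[r][c]
    offsets = ((-1, -1), (-1, 0), (-1, 1), (0, 1), (1, 1), (1, 0), (1, -1), (0, -1))
    code = 0
    for bit, (dr, dc) in enumerate(offsets):
        if img[r + dr][c + dc] >= centre:
            code |= 1 << bit
    return code

def lbp_histogram(img):
    """Normalised 256-bin histogram of LBP codes over the interior pixels (border skipped)."""
    hist = [0] * 256
    rows, cols = len(img), len(img[0])
    for r in range(1, rows - 1):
        for c in range(1, cols - 1):
            hist[lbp_code(img, r, c)] += 1
    total = sum(hist)
    return [h / total for h in hist]

def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def nearest_identity(gallery, probe):
    """Minimum-distance classifier: identity whose template is closest to the probe's histogram."""
    feat = lbp_histogram(probe)
    name = min(gallery, key=lambda k: euclidean(gallery[k], feat))
    return name, euclidean(gallery[name], feat)

def make_image(rows, cols, fn):
    return [[fn(r, c) for c in range(cols)] for r in range(rows)]

def brighten(img, delta):
    """Uniform illumination change; values clipped to the 8-bit range."""
    return [[min(255, v + delta) for v in row] for row in img]

# Constructed sample "faces" (hypothetical identities, not real data).
ALICE = make_image(8, 8, lambda r, c: (r * 20 + c * 7) % 256)          # diagonal gradient
BOB = make_image(8, 8, lambda r, c: 200 if (r + c) % 2 == 0 else 40)   # checkerboard
GALLERY = {"alice": lbp_histogram(ALICE), "bob": lbp_histogram(BOB)}   # enrolment templates

if __name__ == "__main__":
    # A brighter capture of the same face still hits the right template at distance 0.
    print(nearest_identity(GALLERY, brighten(ALICE, 10)))
    print(nearest_identity(GALLERY, brighten(BOB, 30)))
    print("alice vs bob:", euclidean(GALLERY["alice"], GALLERY["bob"]))
```

In a real system the ROI would be cropped and divided into cells with one histogram per cell, and the histogram would then be projected with PCA or LDA before the distance is computed; the single-histogram form above is enough to show the comparison step and the invariance property.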


2.1.2 Authentication based on Behavioural Characteristics 

Keystroke dynamics or typing rhythm, signature, voice, gait and behaviour profiling form the 
behavioural traits for the authentication systems based on behavioural biometrics. 
a. Behaviour Profiling 

The way individuals interact with their mobile devices to avail themselves of numerous services forms the basis 
of identification in such techniques; examples include application usage, location, etc. In [35], behavioural 
biometric data has been collected and analysed from different Android mobile devices to provide a solution 
for active authentication that continuously verifies the identity of the legitimate user. Four biometric 
parameters have been considered: i) text entered through a soft keyboard, ii) the device's physical location as 
per GPS (outdoors) or Wi-Fi (indoors), iii) applications used, and iv) websites visited. A classifier has been 
implemented and tested for every modality, and these classifiers have been organised in a parallel binary-
decision fusion design. Further, a novel access control mechanism based on the particular user context has 
been implemented in [36], which dynamically grants or revokes privileges to users. The authors have worked 
on Android restriction techniques. The context implementation is capable of differentiating between various 
closely located sub-areas within the same location. The setting in this paper has been defined in terms of time 
and location; the location is specified in terms of visible Wi-Fi access points together with their signal 
strengths, in addition to cellular triangulation and GPS as available. Even though such security schemes seem 
feasible on mobile phone devices, performance inconsistency resulting from unexpected user interaction is their 
primary weakness. 
b. Keystroke Dynamics 

An individual's typing rhythm and manner are utilised by this approach. Keystroke dynamics found their place 
on mobile phone devices long ago. The authors in [37] aim to improve existing keystroke dynamics 
authentication systems to enhance smartphone security while increasing user ergonomics, allowing a user to 
change the PIN without retraining the Keystroke-Dynamics-Based Authentication (KDA) system. The system 
can distinguish between an impostor and a legitimate user, notably when users change their passwords. 
Overall, in contrast to physiological authentication schemes, behavioural biometrics offer transparent active 
authentication without any additional hardware, thus forming a cheaper solution than physiological 
authentication schemes. From the survey conducted, physiological authentication schemes emerge as 
vulnerable to replay attacks, where the intruder exploits images of the physical features by replaying them later. 
Moreover, in the case of behavioural authentication schemes, a compulsion to enhance security exists. Several 
approaches can be adopted to thwart such susceptibilities and at the same time strengthen security. 
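The following added example shows the core of a keystroke dynamics verifier of the kind discussed in this subsection; it is written for this review and is not the code of [37] or of any system the paper cites. From raw key events (key, press time, release time) it derives dwell times (how long each key is held) and flight times (the gap between releasing one key and pressing the next), builds a template as the per-feature mean and standard deviation over several enrolment samples, and verifies a new sample with a scaled Manhattan distance. All timings, the PIN, the threshold of 2.0 and the sigma floor are constructed assumptions chosen for illustration.

```python
from statistics import mean, pstdev

def typed(keys, dwells, flights, start=0):
    """Build (key, press_ms, release_ms) events from dwell and flight times (constructed input)."""
    events, t = [], start
    for i, (k, d) in enumerate(zip(keys, dwells)):
        events.append((k, t, t + d))
        t += d + (flights[i] if i < len(flights) else 0)
    return events

def features(events):
    """Feature vector: dwell time per key followed by flight time between consecutive keys."""
    dwell = [rel - press for _, press, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def build_template(samples):
    """Per-feature mean and standard deviation over the enrolment samples.
    The 1.0 ms floor on sigma keeps a feature with zero variance from dominating the distance."""
    vecs = [features(s) for s in samples]
    n = len(vecs[0])
    mu = [mean(v[i] for v in vecs) for i in range(n)]
    sigma = [max(pstdev([v[i] for v in vecs]), 1.0) for i in range(n)]
    return mu, sigma

def scaled_manhattan(template, sample):
    """Mean absolute deviation from the template in units of each feature's sigma."""
    mu, sigma = template
    x = features(sample)
    return sum(abs(xi - mi) / si for xi, mi, si in zip(x, mu, sigma)) / len(x)

def verify(template, sample, threshold=2.0):
    """Accept when the sample lies within `threshold` sigmas of the template on average."""
    return scaled_manhattan(template, sample) <= threshold

# Constructed enrolment samples for a hypothetical user typing the PIN "1234".
ENROL = [
    typed("1234", [100, 95, 110, 90], [150, 140, 160]),
    typed("1234", [104, 92, 113, 88], [156, 137, 165]),
    typed("1234", [97, 99, 106, 93], [147, 144, 155]),
    typed("1234", [101, 94, 112, 91], [152, 141, 158]),
]
GENUINE = typed("1234", [103, 96, 108, 89], [149, 143, 161])      # same user, later session
IMPOSTOR = typed("1234", [60, 58, 62, 61], [300, 320, 310])       # correct PIN, different rhythm

if __name__ == "__main__":
    tpl = build_template(ENROL)
    print("genuine :", round(scaled_manhattan(tpl, GENUINE), 3), verify(tpl, GENUINE))
    print("impostor:", round(scaled_manhattan(tpl, IMPOSTOR), 3), verify(tpl, IMPOSTOR))
```

The impostor sample knows the PIN, which is exactly the case keystroke dynamics is meant to cover: the secret alone is not enough, the rhythm has to match as well. The threshold trades false rejections against false acceptances and would normally be tuned on held-out genuine and impostor samples rather than fixed as here.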

In [38], a framework combining the permuted sequence forming a behavioural fingerprint with the 
physiological fingerprint has been proposed, bringing together the reliability and accuracy of each. The 
behavioural fingerprint acts as a firewall that delays or blocks unauthorised access to the system in case the 
user's fingerprint is compromised. The proposed behavioural fingerprint framework identifies the root of a 
fingerprint and its fingerprint sequence. It is more efficient than multimodal biometric approaches and requires 
no additional hardware. Further, in [39], a biometric multimodal system has been proposed that utilises 
biometric characteristics such as iris, face and periocular for access control. Multi-modal fusion has been 
performed using iris, face and periocular data, and a weighted fusion approach has been utilised to fuse the 
comparison scores of the distinct feature extraction schemes. The method explores numerous score-level fusion 
strategies to exploit the complementary information from the three modalities. Table 1 summarises the various 
contributions and allied weaknesses. 
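The weighted score-level fusion used in [39] is a general technique, and the added example below (written for this review, not code from [39]) shows it together with the Equal Error Rate (EER), the metric later quoted for the location scheme in [45]. Each modality produces a similarity score for a trial; the fused score is a weighted sum, and the EER is found by sweeping a decision threshold until the false acceptance rate (impostors scoring at or above it) equals the false rejection rate (genuine users scoring below it). The modality scores, the weights (iris 0.5, face 0.3, periocular 0.2) and the assumption that scores are already normalised to [0, 1] are all constructed for illustration. The data is chosen so that each single modality has a non-zero EER while the fused score separates the two populations completely.

```python
MODALITIES = ("iris", "face", "periocular")
WEIGHTS = {"iris": 0.5, "face": 0.3, "periocular": 0.2}   # assumed weights, sum to 1

def trial(iris, face, periocular):
    return {"iris": iris, "face": face, "periocular": periocular}

# Constructed similarity scores (already in [0, 1]) for five genuine and five impostor attempts.
GENUINE = [trial(0.90, 0.80, 0.70), trial(0.85, 0.55, 0.75), trial(0.92, 0.70, 0.60),
           trial(0.60, 0.85, 0.80), trial(0.88, 0.65, 0.72)]
IMPOSTOR = [trial(0.30, 0.60, 0.40), trial(0.25, 0.35, 0.30), trial(0.65, 0.30, 0.35),
            trial(0.40, 0.45, 0.50), trial(0.35, 0.40, 0.45)]

def fuse(scores, weights=WEIGHTS):
    """Sum-rule score-level fusion: weighted sum of the per-modality scores."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return sum(weights[m] * scores[m] for m in MODALITIES)

def equal_error_rate(genuine, impostor):
    """Sweep every observed score as a threshold; return (eer, threshold) where FAR and FRR
    are closest. Scores >= threshold are accepted."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far = sum(s >= t for s in impostor) / len(impostor)   # false acceptance rate
        frr = sum(s < t for s in genuine) / len(genuine)      # false rejection rate
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, (far + frr) / 2, t)
    return best[1], best[2]

def modality_eer(name):
    """EER of one modality used on its own."""
    return equal_error_rate([g[name] for g in GENUINE], [i[name] for i in IMPOSTOR])

def fused_eer(weights=WEIGHTS):
    """EER of the weighted fused score."""
    return equal_error_rate([fuse(g, weights) for g in GENUINE],
                            [fuse(i, weights) for i in IMPOSTOR])

if __name__ == "__main__":
    for m in MODALITIES:
        eer, t = modality_eer(m)
        print(f"{m:10s} EER={eer:.2f} at threshold {t:.3f}")
    eer, t = fused_eer()
    print(f"fused      EER={eer:.2f} at threshold {t:.3f}")
```

With five samples per class the EER curve is coarse, which is also the point behind the "small dataset" limitations in Tables 1 and 2: an EER estimated from a handful of trials says little about performance on realistic data.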


2.2. Non-Biometric-based Systems 

Other than biometric-based security solutions, research has been directed at security schemes centred on 
modified passwords, social networks, location information, public key cryptography, smart devices and 
permission control on mobile devices. 

In [41], the authors have put forward a novel method to strengthen password-based access control. The 
difficulty of breaching the password is increased by adding free random text, which makes the system immune 
to pre-computed rainbow and dictionary attacks as well as shoulder surfing and replay attacks. In [42], a 
suitable and effective scheme for LANs has been proposed, which solves complex issues such as 
authentication, management and authorisation, thus simplifying the various network security measures and 
policies internal to the network. A novel access control scheme has been introduced which makes use of a 
User-Access-Control-Table (UAT) and USB in a Local-Area-Network (LAN). It provides privilege management 
in a LAN at a smaller cost. 
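The claim in [41] that added random text defeats pre-computed rainbow and dictionary attacks rests on a general principle: a precomputed table maps a fixed hash function of the password alone, so any per-user random input to the hash invalidates the table. The added example below (written for this review, not code from [41]) demonstrates that principle with the standard server-side form of it, a per-user random salt fed to an iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library). It first shows a plain SHA-256 digest being found in a tiny constructed lookup table, then shows that two records for the same password no longer share a digest and that the table no longer applies. The wordlist and iteration counts are constructed values.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the password guesses behind a precomputed table.
COMMON = ["123456", "password", "qwerty", "letmein"]

def unsalted_hash(pw):
    """Plain SHA-256 of the password: the same password always yields the same digest."""
    return hashlib.sha256(pw.encode()).hexdigest()

def precomputed_table(words):
    """Digest -> password lookup, the structure a rainbow/dictionary table collapses to."""
    return {unsalted_hash(w): w for w in words}

def lookup(table, digest):
    """Reverse a digest via the table; None when the digest was never precomputed."""
    return table.get(digest)

def make_record(pw, salt=None, iterations=200_000):
    """Stored credential: random 16-byte salt plus PBKDF2-HMAC-SHA256 of the password.
    The salt is assumed to be stored alongside the hash; it need not be secret."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}

def verify_record(record, pw):
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])

if __name__ == "__main__":
    table = precomputed_table(COMMON)
    print("unsalted lookup:", lookup(table, unsalted_hash("letmein")))   # found
    r1, r2 = make_record("letmein"), make_record("letmein")
    print("same password, same digest?", r1["hash"] == r2["hash"])        # False
    print("salted lookup:", lookup(table, r1["hash"].hex()))              # None
    print("verify correct:", verify_record(r1, "letmein"))
    print("verify wrong  :", verify_record(r1, "letmeout"))
```

The scheme in [41] places the random text on the user's side as something to remember, which is where its user-adoptability limitation in Table 2 comes from; the server-side salt shown here costs the user nothing but, unlike [41]'s text, does not help against shoulder surfing or replay, since the salt is not a secret.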

A novel Wi-Fi authentication mechanism has been presented in [43] that uses social networks as the criterion 
for more user-friendly and secure authentication. The system abandons the centralized approach that 
entrenches social networks for Wi-Fi authentication; instead it introduces a decentralized approach, 
EAP-Soc-TLS, for the authorization and authentication of Wi-Fi access points and numerous additional 
devices, thus providing a much better solution in terms of scalability than conventional centralized approaches, 
which suffer from single-point-of-failure problems and raise privacy concerns. A practical and secure 
authentication mechanism founded on smart cards has been proposed in [21]. The proposed system delivers 
protection against various susceptibilities while at the same time improving on existing security schemes. The 
mechanism permits users to select their passwords conveniently, with the privilege of modifying them offline. 
The smart card doesn't hold any crucial information, thus safeguarding against the risk of a stolen smart card. 

In [44], the authors proposed a bilateral recurring authentication method named Zero-Effort-Bilateral-
Recurring-Authentication (ZEBRA). The system utilises a hardware token in the form of a bracelet with a 
built-in radio, gyroscope and accelerometer to provide continued authentication. The signals sent from the 
bracelet worn on the user's wrist are correlated with the terminal's operations, and the continued presence of 
the user is confirmed when the two movements correspond according to a few coarse-grained actions. In [45], 
location information has been used as a modality for user authentication. The paper presents a novel 
algorithm based on a Hidden Markov Model accompanied by a marginal smoothing method for location 
authentication. The proposed scheme outperforms other methods, with an Equal Error Rate (EER) of 20.73%. 
However, the requirement to possess information about the genuine user's routine leaves the arrangement 
vulnerable to attack, and the scheme should consider fusion with other modalities to achieve better 
performance. In [46], a sensitive data leakage prevention mechanism for Android mobile devices has been 
proposed: malicious applications responsible for leaking critical data are detected using the J8-classification 
algorithm. The scheme achieved 98.6% accuracy in distinguishing benign and malicious apps. Table 2 frames 
the pros and cons of the non-biometric schemes discussed above. 
Table 1. Review of biometric schemes 

(Andreeva et al., 2012) [21] 
  Contribution: Proposes a continuous access control mechanism exploiting heart sounds. 
(Kavita et al., 2013) [32] 
  Contribution: Proposed a secure, low-cost and robust biometric authentication scheme on mobile phones. 
(Conti et al., 2014) [31] 
  Contribution: Presented a biometric authentication scheme as an Android application on real-time mobile 
  devices. 
(Darwaish et al., 2014) [2] 
  Contribution: Introduced an offline face-recognition mechanism on mobile devices. 
(Tsai et al., 2014) [37] 
  Contribution: Proposed an improved keystroke dynamics authentication mechanism. 
(Daniel et al., 2015) [19] 
  Contribution: Proposed a mechanism to thwart replay attacks aimed at face recognition on smart devices. 
(Fridman et al., 2015) [33] 
  Contribution: Designed an active authentication mechanism on mobile devices. 
(Javier et al., 2015) [40] 
  Contribution: Designed a novel software-based fake detection technique thwarting fraudulent access to 
  numerous biometric systems. 
(Jiawei et al., 2015) [33] 
  Contribution: Presented a face recognition system titled XFace aimed at the Android platform. 
(Kiran et al., 2015) [39] 
  Contribution: Proposed a biometric multi-modal system incorporating biometric characteristics like iris, 
  face and periocular for access control. 
(Maria et al., 2015) [6] 
  Contribution: Introduced a biometric multimodal security mechanism on mobile devices. 
(Meng et al., 2015) [22] 
  Contribution: A novel authentication framework implementing multi-modal biometric user authentication. 
(Shebaro et al., 2015) [36] 
  Contribution: Presented a novel access control mechanism dynamically granting or revoking privileges to 
  users. 
(Yang et al., 2015) [11] 
  Contribution: Addressed two possible complications related to implicit authentication. 
(Teo et al., 2017) [38] 
  Contribution: Designed a new framework combining the permuted sequence forming a behavioural 
  fingerprint with the physiological fingerprint. 

Limitations (in table order): 
• Prolonged authentication can't be expected by the system, as the heart sound conditions of humans do not 
  remain the same over time. 
• A system established on a BAN engages complex construction and several sensors, hindering adequate user 
  adoptability. 
• Risk of intrusion exists during data transmission. 
• Lacks in obtaining crucial features, as a low-definition camera is considered. 
• Factors like background, lighting and orientation need to be considered, hindering user adoptability. 
• Performance analysis regarding the accuracy of the system and the resources consumed on mobile devices 
  has not been done. 
• Higher false acceptance rate, while a smaller data-set was contemplated. 
• Lacks a complete acquisition of the fingerprint, thus reducing the recognition rate and hence user 
  adaptability. 
• Comparison with various available state-of-the-art algorithms is desired. 
• Discards the retraining phase. 
• Authentication failure is not handled appropriately, leading to reduced user ergonomics. 
• Susceptible to smudge attacks, accelerometer attacks, timing attacks and keystroke inference attacks. 
• Various factors such as environmental conditions and camera settings are not considered. 
• Implementation on computer systems only. 
• Utilized GPS as the location classifier, which fails to deliver precise authentication. 
• Implementation is performed on computer systems and not on mobile devices. 
• The state-of-the-art algorithms are not specified. 
• A small dataset has been contemplated. 
• Different distances to the camera, camera properties, face angles and expressions have not been 
  contemplated. 
• Requires a high-definition camera and incurs a high computation cost. 
• Performance analysis regarding the limited resources of a smartphone, such as memory and battery 
  consumption, has not been done. 
• Acquisition under extremely controlled situations to acquire the iris, hindering user adoptability. 
• Considers touch screen dynamics demanding high performance and accuracy, which is difficult to achieve on 
  mobile devices. 
• Susceptible to touch logger detection attacks. 
• 16% false positives have been found. 
• Suffers from memory overhead. 
• Performance on smartphones, on which implicit authentication is widely implemented, is not shown. 
• A dataset with weak modalities has been contemplated. 
• Vulnerable to mimic attacks, synthetic attacks and sensor-sniffing attacks. 
• Usability needs to be taken into consideration, as the sequence must be memorised by the user. 
• Additional hardware is required, as a primary sensor for fingerprint acquisition is desired. 
Table 2. Review of non-biometric schemes 

(Zhang et al., 2010) [42] 
  Contribution: A novel scheme for LAN access control centred on UAT and USB in LAN. 
  Limitations: • USB as additional hardware. 
               • Lacks in maintaining user ergonomics. 
(Aboud et al., 2014) [17] 
  Contribution: Presented an effective and secure authentication mechanism founded upon smart cards. 
  Limitations: • Usage of an additional token shall prove expensive for the service provider and cause 
                 difficulty to users. 
(Durmus et al., 2014) [43] 
  Contribution: Presented a novel Wi-Fi authentication mechanism implementing social networks as the 
  criteria for providing a more user-friendly and secure authentication mechanism. 
  Limitations: • Demands a profile of the owner on the social network. 
               • Privacy concerns exist, as complete friendship information is anticipated to be open for all. 
               • Security concerns arise, as worn-out caches are used to perform offline authentication. 
               • Ownership-related issues are not contemplated. 
(Shrirang et al., 2014) [44] 
  Contribution: Proposed an active authentication scheme, ZEBRA. 
  Limitations: • Lacks in user adoptability. 
               • Bracelet as an additional hardware requirement. 
(Upal and Rama, 2016) [45] 
  Contribution: Presented an active authentication system employing trace history. 
  Limitations: • A requirement to have information related to the genuine user's routine leaves the 
                 arrangement vulnerable to attacks. 
(Chowdhury et al., 2017) [41] 
  Contribution: Forwarded a novel technique to strengthen the access control mechanism based on passwords. 
  Limitations: • An authentication failure occurs from the passwords cached in various newer browsers. 
               • User adoptability is not up to the mark, as more things need to be remembered by the user, 
                 unlike the existing system. 
               • Susceptible to keystroke attack. 
(Yavuz et al., 2017) [46] 
  Contribution: Presented a sensitive data leakage prevention mechanism. 
  Limitations: • A small data-set has been contemplated. 

3. OPEN ISSUES 

After presenting the study of the various access management security schemes contributed by researchers, it 
can be concluded that loopholes still exist in the offered security solutions. The challenges identified range 
from security vulnerability to computational complexity to user adoptability. Conclusively, the review 
conducted ends with the following open issues: 

a) Reduced user adoptability persists due to extra hardware requirements existing in the form of smart cards, 
specially featured hardware [13], [21], [40], [38], [43]. 

b) Prominent processing power and execution time subsist [21], [22], resulting in subsequent incompatibility 
to operate on generic mobile devices. 

c) Databases used to train the biometric recognition schemes are far from the data that exists in the real world 
[33], [39], [40], [46], thus, offering reduced accuracy when such solutions are exposed to realistic data. 

d) Behavioural biometrics ease a user in terms of user adoptability [11], [33], [36]; however, the accuracy of 
such systems drops abruptly when user behaves inversely. 

e) Inability to protect against various threats [11], [22], [37], [42], [44], which smart mobile devices are 
susceptible to, like touch-logger/key-logger, liveness detection, mimic attacks, etc. 

f) Choosing a suitable set of biometric characteristics is a critical challenge in biometric authentication, 
particularly when considering multi-modal biometric security schemes [13], [22], [33], [39], [46]. A need 
exists for reliable authentication systems capable of selecting or deciding on an appropriate biometric set. 

g) Performance analysis on the mobile platform has not been conducted yet [11], [36], [39], [40]-[44], resulting 
in a lack of benchmarks and thus impeding the implementation of such schemes on generic mobile devices. 


4. CONCLUSION 

In this paper, an appraisal of prior authentication techniques centred on biometric and non-biometric 
approaches has been performed. The substantial contributions and drawbacks of the respective security 
solutions have been set out explicitly. All the authentication schemes reviewed were found to be lacking in one 
context or another. The need persists for a security solution able to thwart not only contemporary threats but 
also offer continued support without bowing to the progression of technology. At the same time, user 
ergonomics should not be ignored but treated with equal importance. Besides, the open problems and 
challenges need to be deliberated when designing such systems, with the hope of driving further research in 
the area. 